2. Add the route to server ip 160.1.1.100/32, the next hop is 111.0.0.2, so server packets can be sent to vpn-instance.
#
ip route-static 160.1.1.100 255.255.255.255 111.0.0.2
#

As the above solution, the protocol packets to hwtacacs server will be sent out from ethernet0/0/0 and will come back from ethernet0/0/1, the packets are successfully imported to vpn-instance. ne40/80 can ping hwtacacs server directly according to public routing table and can be authenticated and authorized by hwtacacs server located in mpls vpn successfully.

Root Cause

Null.

Suggestions

1. This solution is only available for routing-mode LPU board but not available for switching-mode LPU, because the two looped interfaces of switching-mode LPU will learn mac-address from each other but they share the same mac-address.
2. This solution is also applicable for radius server located in vpn-instance.